Chapter 8
SATAN and the Internet Inferno

“We walked together towards the shining light, discussing things that here are best kept silent, as there they were most fitting for discussion.”

—Dante Alighieri, Inferno

Some people think that open discussion of network security problems is an invitation to disaster. Claiming “security through obscurity” to be an additional layer of protection, they are content to trust software creators and vendors to protect their systems. The release of the SATAN program in April 1995 created an uproar with this group. A few of them even tried to get the government to halt SATAN’s release.

SATAN, a Unix program that quickly checks for the presence of vulnerabilities on remote systems, offers an easy way for the average user to quickly examine the network security of computer systems. Although a few other similar programs had been available before, including an early version of SATAN, no other program ever caught the imagination of the media to the extent that SATAN did. The interesting name, the uniqueness of one of the creators, and the topic of Internet security certainly added to the publicity of SATAN; however, SATAN did contribute materially to network security monitoring in other ways.

SATAN features an easy-to-use interface, an extensible framework, and a scaleable approach to checking systems. First, the user interface consists of HTML pages that are used through a Web browser such as Mosaic or Netscape. A user can learn quickly and easily to use SATAN by pointing and clicking on these web pages. Second, although SATAN is available with several security tests built in, the general structure of SATAN permits a user to easily add additional probes. Finally, SATAN can easily be used to check many systems in a quick, automated scan. These three innovations made the release of SATAN a significant advance in the field of network security programs.

The primary contribution of SATAN, however, is its novel approach to security. It takes the view that the best way a system administrator can ensure the security of a system is by considering how an intruder would try to break into it. The creators of SATAN first created the program to automate attacks, described in a paper called Improving the Security of Your Site by Breaking Into It (Farmer & Venema, 1993).

An analogy might clarify the importance of SATAN. In some ways, the Internet can be compared to an electronic version of a large neighborhood. If, one night, you forget to lock one of your windows in your neighborhood, it may not matter. If you live in a nice neighborhood, you might leave it open on purpose. However, if a burglar tried to break into your house on the night that a window was left open, it would certainly simplify his job.

Now, imagine that someone invented a device that would scan a neighborhood and report all the houses that had windows or doors unlocked. In the hands of a conscientious apartment manager or policeman, such a tool would help to ensure the safety of the neighborhood. In the hands of a burglar, however, such a tool would make finding a vulnerable home quite easy. SATAN is that device for the Internet.

Using SATAN, hackers anywhere in the world can scan every networked system on the Internet. These potential intruders do not have to be particularly bright, because SATAN is easy to use. These intruders do not have to have accounts on the target systems, or even be in the same country as the systems, because the Internet offers worldwide connectivity. These intruders do not even have to know about the existence of the systems, because network ranges can be used for targets.

For a conscientious system administrator, SATAN can be used to ensure the safety of the networked hosts. However, because every intruder in the world can quickly identify vulnerable hosts, it “raises the bar” of required security to new heights. If you “live in a nice neighborhood,” meaning that your network is behind a well-maintained firewall and the vast majority of users are trustworthy, you may not need as much security. However, for hosts directly on the Internet, relying on the obscurity of open windows is no longer acceptable. The windows must always be locked.

Before describing the SATAN program in great detail, this chapter investigates the nature of network attacks. A detailed explanation of how a hacker, with nothing more than Internet access, would manually gather information about a target is then presented. Next, the exact details on the security holes searched for by SATAN are studied, as well as other network holes. Finally, SATAN is examined, including an example of extending SATAN to cover a new security problem.

The important message that SATAN brings is this: thinking like an intruder can help you to improve the security of your systems.

This section describes some of the general issues surrounding network security, the topic that SATAN was designed to investigate. Although no designer consciously puts security holes into software, tensions frequently exist between a software program’s ease of use, its functionality, and its security. Such tension, combined with the ever-present opportunity for programming mistakes by the software designers, have frequently resulted in software programs that include security holes. Add configuration errors (netgroup mistakes), user shortcuts (xhost + ), and organizational policy mistakes (NFS servers on the Internet) to these design flaws, and the result is a catalog of vulnerabilities for a wily intruder to prey upon.